Javascript sanitization: The most safe way to insert possible XSS html string

javascript xss html-sanitizing
Somebody picture Somebody · Jul 2, 2012 · Viewed 17.6k times · Source

Currently i'm using this method with jQuery solution, to clean string from possible XSS attacks.

sanitize:function(str) {
    // return htmlentities(str,'ENT_QUOTES');
    return $('<div></div>').text(str).html().replace(/"/gi,'&quot;').replace(/'/gi,'&apos;');   
}

But i have a feeling it's not safe enough. Do i miss something?

I have tried htmlentities from phpjs project here: http://phpjs.org/functions/htmlentities:425/

But it's kinda bugged and returns some additional special symbols. Maybe it's an old version?

For example:

htmlentities('test"','ENT_QUOTES');

Produces:

test&amp;quot;

But should be:

test&quot;

How are you handling this via javascript?

Answer

Oleg V. Volkov picture Oleg V. Volkov · Jul 2, 2012

If your string is supposed to be plain text without HTML formatting, just use .createTextNode(text)/assigning to .data property of existing text node. Whatever you put there will always be interpreted as text and needs no additional escaping.

Related questions

How do you use window.postMessage across domains?

It seems like the point of window.postMessage is to allow safe communication between windows/frames hosted on different domains, but it doesn't actually seem to allow that in Chrome. Here's the scenario: Embed an <iframe> (with a …

Read More
How to pass parameters to a Script tag?

I read the tutorial DIY widgets - How to embed your site on another site for XSS Widgets by Dr. Nic. I'm looking for a way to pass parameters to the script tag. For example, to make the following work: &…

Read More
Sanitizing user input before adding it to the DOM in Javascript

I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not …

Read More